Federal Computer Fraud and Abuse Act (CFAA) Does Not Apply To Employee Who Took Data, Resigned and Then Later Used Data

The Federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, was narrowly construed by the 4th Circuit Court of Appeals such that the Act was not violated by an employee, who took computer data while employed by WEC, resigned from the company, went to work for WEC’s competitor and then allegedly used WEC’s data to pitch a project to a customer.  Impressed, the customer hired WEC’s competitor, thereby precipitating the federal CFAA suit with 9 other state law actions.  The employee Miller moved to dismiss the CFAA count and the trial court dismissed the sole federal count and refused to hear the ancillary state court claims.  WEC Carolina Energy Solutions LLC v. Miller, Case No. 11-1201 (4th Cir. July 26, 2012) (available here).  The WEC case is more compelling since it was issued two (2) months after the 9th Circuit Court of Appeals, in United States v Nosal, 676 F.3d 854 (9th Cir. 2012)(en banc), also narrowly construed the CFAA holding that the Act cannot be used to prosecute an employee-hacker.  See our blog herein.

The Court, acknowledging that “[o]ur conclusion here likely will disappoint employers hoping for a means to rein in rogue employees” (slip opn. P. 13, herein “P. 13″), and indicating that “that the distinction between these terms is arguably minute” (P. 9), stated that “we adopt a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”  P. 12.  Further, the Court “reject[ed] any interpretation that [] CFAA liability [can be predicated] on a cessation-of-agency theory.”  P. 12.

“Thus, we agree with the district court that although [defendant employees] Miller and Kelley may have misappropriated information, they did not access a computer without authorization or exceed their authorized access. See 18 U.S.C. §§ 1030(a)(2)(C), (a)(4), (a)(5)(B)-(C).”  P. 13.  It should be noted that the 9th Circuit Nosal Court stated that the CFAA is an anti-hacking statute and not a misappropriation statute.  Per Nosal, “the government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.”  Pp. 3861-62.  The 4th Circuit in WEC did not cite Nosal for this concept that the CFAA does not criminalize improper use of data.

The WEC Court struggled to define “without authorization,” “exceeds authorized access” and “so” in the CFAA.  The Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”  18 U.S.C. §§ 1030(e)(6).

Under the facts of this case, the WEC Court “adopt[ed] a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and [held] that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”  P. 12.

Defendant Miller was a project manager WEC prior to his resignation.  Twenty days later, he made a presentation to a potential WEC customer on behalf of WEC’s competitor, Arc Energy Services, Inc. (Arc). The customer ultimately chose to do business with Arc. WEC’s complaint alleged that Miller had access to numerous confidential and trade secret documents stored on computer servers, including pricing terms, technical specs and pending projects.  WEC had a corporate policy that prohibited employees from using corporate information without authorization or downloading it to a personal computer. “These policies did not restrict Miller’s authorization to access the information, however.”  P. 4.  WEC alleged that Miller emailed the confidential data to his personal computer, thereby accessing the information without authorization per the corporate policy.  Therefore, WEC alleged that employee Miller violated corporate policy regarding access and use of the WEC computer data.

Commentary: The WEC and Nosal decisions are contrary to decisions in the 11th, 5th and 7th Circuits.   United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); and Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).  One reoccurring legal principle is that the CFAA is both a criminal statute and a civil statute.  Therefore, both WEC and Nosal narrowly construed the Act.

“Thus, faced with the option of two interpretations [of the term ‘so’], we yield to the rule of lenity and choose the more obliging route. ‘[W]hen [a] choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.’ United States v. Universal C. I. T. Credit Corp., 344 U.S. 218, 221-22 (1952); see also Nosal, 676 F.3d at 863. Here, Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”  P. 11.

Related Posts